Various NERC Topics and Why Should You Care?
by Arina Smith Technology 27 October 2021
The NERC CIP standards are mandatory security guidelines for companies that manage or control facilities that comprise the U.S. and Canadian electric power grid.
They were first accepted through the Federal Energy Regulatory Commission (FERC) in the year 2008. Their broad-based requirements have prompted substantial amounts of investment for the regulated utilities.
They have created the foundation for cybersecurity awareness in the electric utilities within North America. However, it is their basis as the model for a future list of Operating Technology cyber security compliance program management across the globe that will make the regulations mandatory for all industrial managers worldwide.
Which Topics Do NERC CIP Standards Cover?
|Retired Sabotage Reporting
Asset Classification & Identification
|Plan Maintenance & Creation – Low-Priority Components
Senior Accountable Executive Designation
Plan Maintenance & Creation
Governance & Policy
Training Access Management
Staff & Training Security Awareness
|Setting Up Electronic Security Measures or Equivalents
Security of Network
Protected Interactive Virtual Access Management
|Physical Security Policies
Monitoring & Creation of Physical Security Measures
Physical Protection of Cyber Components
|Control of System Security
Credential and Password Management
Management of Patch
Shared Accounts Management
Services & Ports Management
Logging of Security Event
Prevention of Malware
|Incident Response for Cyber Security
Restoration and Backup
|Transient Cyber Assets Management
Change Monitoring and Management
Vulnerability and Change Management
Management of Vulnerability
Configuration Management and Capture
|BES Cyber System Records Protection
Classification and Protection of Records
|Communications of Control Center
|Security of Supply Chain
|Key Substations Physical Security
The NERC standards typically cover the same broad topics as other cybersecurity frameworks like NIST CSF or CIS Top 20 Controls.
However, the NERC standards are much more explicit than these frameworks. They can be enforced on organizations that are subject to them, which includes imposing possibly large fines in the event of non-compliance.
Although these guidelines are crucial and could lead to fines if they’re not adhered to, some need more detail and explanation.
Why are NERC CIP Standards Important?
If you’re a North American electric utility, you must be aware that the NERC CIP standards demand substantial investment and the risk of penalties. Although most fines are in the lower five figures, more than one million dollars have been handed out due to a series of systemic violations.
The real impact of a flawed audit report is greater than the sum of the fine. Falsely reported violations or negative audit findings can cause management issues with shareholders, boards regulators, board members, and other stakeholders.
Outside of the energy utilities, which are the main subject on the agenda of NERC CIP, however, industries throughout North America and the world must begin to understand these standards and be prepared for similar requirements in their respective industries.
So, What’s The Takeaway?
The future of cybersecurity regulation is obvious – more prescriptive requirements and more auditing by regulators. This will need a significant shift in thinking, investment, and initiatives among industries across the globe.
Since the risk is more significant, we’d expect these new standards to be implemented more quickly as NERC CIP did. This will also imply lesser planning & development time, however, the scope will be as important as scoping NERC CIP.
Cyber security is frequently called “defense in depth”. It is not clear if that is an appropriate description of current threats. The truth is, a company can’t just leap into maturity “5”.
The earlier it starts to map its course – by using NERC CIP and various frameworks as its guides, the more achievable getting future compliance with the law can be.